Hackers stole payment card data of 1-800-Flowers website

Buying a gift for a birthday or Mother’s Day could have been truly harmful for many people. Digital forensics specialists from the International Institute of Cyber Security reported that payment card information belonging to customers of the online flower shop 1-800-Flowers has been stolen due to a security issue that persisted for about four years.

Ontario Inc., the Canadian flower sale site operator, has notified the California Attorney General’s office in compliance with the data breach notification procedure in the Golden State. The company mentioned that its information security and digital forensics team identified anomalous behavior in its systems; a subsequent investigation showed evidence of unauthorized access to the payment card information used by the company’s customers.

According to the company’s reports, the compromised information includes users’ full names, payment card numbers, expiration dates, and card security codes.

As if that were not enough, Ontario Inc. also mentioned that, according to the estimates of its digital forensics team, the exposure of this information lasted from August 2014 to September 15 of the current year. Injection of data-extraction malware is one of the probable causes of the security incident, although this does not explain how the data exposure could persist for four years. It is therefore thought that a critical vulnerability or some error in the 1-800-Flowers website configuration could be the main reason why the problem persisted for so long.

The company has not revealed the number of affected users. However, data protection legislation in California requires that incidents of this kind be reported when 500 or more Californians have been affected; in addition, a local media outlet has reported that about 75k orders to 1-800-Flowers would be involved in the incident. On the other hand, a spokesperson for the company has stated that only “a small number of orders” have been affected. In addition, he said that the company’s main website for the United States appears to be unaffected by any security breach.

“At Ontario Inc. we take the security of our customers’ personal information as a really serious matter”, the spokesman said. “We have taken the necessary measures to prevent these kinds of incidents from reappearing in the future; for example, we have redesigned the company’s website in Canada and implemented additional security measures. In addition, we are working with any partner who operates with payment card information so that any institution issuing payment cards is notified,” he added.

Information security specialists are concerned about the growing number of recent security incidents, such as the data breaches at the Marriott hotel chain, the U.S. Postal Service and the Quora Q&A web platform.